HIPAA and Genetic Information: GINA Compliance for Healthcare Providers

Genetic information sits at the intersection of two federal laws, and that is what makes it distinct from the rest of the protected health information (PHI) a provider handles. HIPAA governs how genetic data is protected as PHI, while the Genetic Information Nondiscrimination Act (GINA) governs how it may — and may not — be used. For practices that order genetic testing, document family history, or store results, getting both right is essential, because genetic data is uniquely sensitive: it speaks to a patient’s future health, and it implicates blood relatives who were never your patients.

How HIPAA and GINA fit together

The HIPAA Privacy Rule explicitly defines genetic information as health information and therefore as PHI when it is individually identifiable. It also prohibits health plans from using or disclosing genetic information for underwriting purposes. GINA adds a second layer: it bars health insurers from using genetic information to set eligibility or premiums, and it bars employers from using it in employment decisions. The key point for providers is that family medical history counts as genetic information under both frameworks. A note that a patient’s mother and sister had a particular condition is genetic information, and it deserves the same protection as a sequencing report.

Where providers run into trouble

The most common exposure points are predictable once you know to look for them: genetic test results sent to or received from a laboratory without a Business Associate Agreement (BAA) in place; family history captured in intake forms and then shared more broadly than the minimum necessary standard allows; results disclosed to employers or plans in ways GINA prohibits; and research uses of genetic data without proper authorization or de-identification. Because genetic information about one patient reveals probabilistic information about their relatives, the minimum necessary standard deserves particularly careful attention here.

Start with a Security Risk Analysis

The HIPAA Security Rule requires an accurate, thorough Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A). For a practice handling genetic data, the SRA should account for every system that stores or transmits it — the EHR, the lab interface, any genetic counseling notes, and research databases — and assess the threats to each. Given the heightened sensitivity, many practices apply stricter access controls and audit logging to genetic records than to general chart data, and the SRA is where those decisions get documented.

The proposed 2026 Security Rule update

In December 2024, HHS published a Notice of Proposed Rulemaking (NPRM) that would strengthen the HIPAA Security Rule. It is a proposed rule, not finalized, but its provisions — a maintained asset inventory, encryption of PHI at rest and in transit, multi-factor authentication, and tighter access controls — map well onto the extra care genetic data demands. If finalized as written, organizations would have roughly a 240-day window to comply after the final rule is published. Strengthening access controls and audit logging for genetic records now is a sound step regardless of the final text.

How Medcurity helps

Medcurity gives providers a guided platform to complete and maintain the Security Risk Analysis, document access-control and minimum-necessary decisions, track lab and vendor BAAs, and keep the records OCR expects organized in one place. Pricing is $499/year (about $42/month) for a single organization; larger groups and networks can request a quote. To see how this fits the wider program, review our HIPAA compliance checklist and our guide to the HIPAA risk assessment.

Frequently asked questions

Is family medical history considered genetic information?

Yes. Under both HIPAA and GINA, the manifestation of a disease or disorder in family members is genetic information, so documented family history must be protected and used with the same care as a genetic test result.

What does GINA add on top of HIPAA?

GINA prohibits health insurers from using genetic information for eligibility or premiums and prohibits employers from using it in employment decisions. HIPAA protects the information itself; GINA restricts how it can be used.

Do we need a BAA with a genetic testing lab?

If the lab creates, receives, maintains, or transmits PHI on your behalf, a Business Associate Agreement is required. Confirm the arrangement and the BAA before sending any identifiable specimens or data.

Can genetic information be used in plan underwriting?

No. The HIPAA Privacy Rule prohibits health plans from using or disclosing genetic information for underwriting purposes, and GINA reinforces that bar for health insurance eligibility and premium setting.